IT Briefcase Exclusive Interview: A Holistic Approach to IT Security with Jack Danahy, IBM Security Systems Division

The challenges organizations encounter in the world of IT Security are increasing by the day. Sometimes, even while putting their best efforts forward, it is difficult for businesses to keep up.

In the below interview, Jack Danahy from IBM Security Systems Division outlines ways in which organizations can begin to overcome security obstacles, and emphasizes the importance of taking a holistic approach to fighting the IT Security battle.

Q. As businesses cast themselves into the insecure world of IT, how can they begin to overcome the hurdles associated with security progressing faster than they can keep up with?

A. Businesses find themselves surrounded with technology, and more particularly, they find themselves inextricably connected through it.  The adoption of an increasingly interconnected infrastructure may not be a desire unto itself, but it is the means of satisfying an expanding set of requirements from customers and partners.  With each new connection and service offered, organizations need to do three things.  First, they need to understand what data or services they are sharing, and the ways in which they will present those assets to users.  Second, they need to think about risk, looking for ways to minimize their exposure in order to simplify the task of protection.  Third, they need to choose security strategies and solutions that they can understand, because mismanaged or misunderstood security can be as bad a no security at all.  The increasing challenges of security are often related to the increasing complexity of the environments that we are creating, and we can reduce the volume of our security concerns by better managing the pace at which we choose to increase our own exposure.

Q. With security challenges differing across industries, how can we create solutions that are industry specific, yet universal enough to help organizations across the board?

A. The basic security challenges of privacy, availability, integrity, and control, are very similar across most industries, both in their definition and their application.  What does vary is the priority that each of these attributes carries.  As a result, the solutions that we build and the ways that we manage and monitor them must be flexible, allowing users to tailor their protections according to the particular need.  The same set of challenges exists within organizations as well.  The financial systems within a firm, as an example, must maintain a very high level of integrity, in order to successfully run the business and to satisfy requirements from Directors and Regulators.  At the same time, there may very well be systems that control manufacturing processes or that maintain heating or cooling levels in critical areas.  These systems all have a different balance of priorities.  In order to empower organizations to apply their knowledge and their own management imperatives to the security challenge, products must be delivered that do not simply dictate a certain level of protection, or diminish the importance of any security characteristic.  As a partner, and as a provider, IBM is constantly striving to be sure to offer a combination of security and flexibility in its solutions.

Q. What advice can you offer to help businesses stay abreast of the many technologies that must be taken into account when trying to keep organizations safe and secure?

A. My primary advice may seem counterintuitive, considering my role, but I recommend that businesses resist the temptation to start with technology.  There is a natural tendency to acquire security technologies in the same way that people who feel that they need more exercise will run out and buy a treadmill.  While the treadmill is at least a convenient hanging place for towels and laundry, tools that are inappropriate or operationally beyond the capabilities of staff become little more than shelfware.

So, before acquiring security technologies to protect yourself, my advice is to first think very hard about what your critical and interconnected systems mean to the operation of your business.  How do you currently manage them, and how do you expect to secure them in the future? I ask organizations to think about their staff beyond the security team; to their users, developers, managers, and executives.  What kind of interest, willingness, and capability do they bring to the organization’s security effort? A  well established sense of organizational needs and capabilities will ultimately make security a more tractable issue.

Q. Why is taking a “holistic” approach to IT security today so important?

A. In the early years of internetworking, the concept of the perimeter was a useful line of demarcation, through which security could be understood and measured.  The interior was considered to be relatively safe, while the outside was unknown and untrusted.  Today’s IT security needs are very different.  Mobile devices, cloud computing, and a new generation of more sophisticated attacks have eliminated the comforting fiction of a trusted and clean internal network.  Perimeters are gone.

As a result of these changes, security has to be managed at a more consistent level across the enterprise, and this must integrate the target protections ( data, systems, services ) and  the security controls ( monitoring, access control, security testing ).  A holistic model, which is informed by business needs as well as an understanding of the infrastructure and internetworking, is the way to make this practical and effective.

Q. What is the overall message you would like to portray about the products and services IBM Security Systems has to offer today?

A. As organizational IT has become more diverse and complex it has had a compounding effect on the difficulty and complexity of managing security. IBM has recognized that the first need among our clients and the market is to make this challenge comprehensible, to make it tractable.  We are focused on the integration of our security products and services into a platform that can maximize value by simplifying security decision-making and response.  We see this as the natural and necessary evolution of security management which we call security intelligence.

Working everyday with security teams across industries and geographies, I can tell you that I am no longer asked simple questions about firewalls, or access control, or even application security.  I am being asked about a broader type of security, and about ways in which to view security across all of these capabilities and more.  Our IBM belief is that real advancement in security is driven by an informed balance, and by a view of protection that recognizes the need to mitigate cost as well as risk.

Jack Danahy is the Director for Advanced Security within IBM’s Security Systems Division, and is an international speaker and writer on topics of software, system, and data security. Jack is the original founder and CEO of two successful security software companies: Ounce Labs, sold to IBM in July of 2009, and Qiave Technologies, sold to Watchguard Technologies in 2000.  He holds five patents in a variety of security technologies including secure distributed computing, software analysis, and secure system management.  He is a distinguished fellow in the highly respected Ponemon Institute, a Computerworld Honors Laureate, and has contributed to the development of legislation on computer security in both the U.S. House and Senate.  He is concerned and active within the public and private sectors on issues of cyber security, secure systems development and acquisition, and the strategic balance between business needs and security controls.